Stolen Target credit card info reported to be up for sale on black market
By Chris O'Brien / Los Angeles Times
More bad news for shoppers who used their credit cards at Target in recent weeks: Many of the 40 million credit cards that the company says were part of a massive data breach are said to be for sale on black markets around the world.
That report comes from KrebsOnSecurity, the website run by cyber-security reporter Brian Krebs, who initially broke the story about the Target breach.
On Friday, Krebs posted another story detailing how he had tracked down phony cards made using information that was stolen as part of the Target data breach:
“Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of 1 million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.”
On Thursday, Target confirmed that someone had hacked into its systems and had stolen 40 million debit and credit cards from stores across the country. The breach apparently lasted from Black Friday to Dec. 15.
As expected, the thieves are using that information obtained from those credit cards to make phony copies that are being sold on black market stores around the world, Krebs found.
At just one site that sells such counterfeit cards, Krebs said, he helped one bank find 100 cards for sale that were made using information obtained from customers who were affected by the Target breach.
The theft is the second-largest credit card breach in U.S. history, exceeded only by a scam that began in 2005 involving retailer TJX Cos. That incident affected at least 45.7 million card users.
Target’s data security troubles and its ensuing public relations nightmare threaten to drive off holiday shoppers during the company’s busiest time of year.
The company has been working around the clock to make sure customers’ questions are answered.
“We are still reaching out to our guests through phone and social media,” said Molly Snyder, a spokeswoman for Target. “We are adding capacity both to our call center and technical systems to meet all of our guests’ needs. In just the last 24 hours, we have quadrupled the capacity of our online REDcard account management site.”
Customers who made purchases by swiping their cards at its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip found on the backs of cards, Target said.
There was no indication the three- or four-digit security numbers visible on the back of the card were affected, Target said. The data breach did not affect online purchases, the company said.
Target hasn’t disclosed exactly how the breach occurred but said it has fixed the problem.
Given the millions of dollars that companies such as Target spend implementing credit card security measures each year, Avivah Litan, a security analyst with Gartner Research, said she believes the theft may have been an inside job.
“The fact this breach can happen with all of their security in place is really alarming,” Litan said.
Other experts theorize that Target’s network was hacked and infiltrated from the outside.
Whatever the case, Jason Oxman, CEO of the Electronics Transaction Association, which represents the payments technology industry, said data breaches like Target’s are generally “heavily organized and sophisticated.”
Annual losses from global credit and debit card fraud are on the rise. Last year, it reached $11.27 billion, up 11.4 percent from the previous year, according to the Nilson Report, which tracks global payments. Even so, Nilson’s publisher David Robertson pointed out that fraud still accounts for less than 6 cents of every $100 spent.
Target representatives wanted to assure customers that they will not be held accountable for any credit or debit card fraud.